Cyber Resilience

CVE-2026-6985

MediumPublic PoC

Published: 25 April 2026

Published
25 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0022 44.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6985 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Cesanta Mongoose. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 44.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6985 is a vulnerability in Cesanta Mongoose versions up to 7.20, affecting the handle_opt function in the file /src/net_builtin.c within the TCP Option Handler component. The issue arises from manipulation of the optlen argument, which triggers an infinite loop, classified under CWE-404 and CWE-835. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating a moderate-impact denial-of-service condition.

The vulnerability can be exploited remotely by unauthenticated attackers with network access and low complexity, requiring no user interaction or privileges. Successful exploitation causes an infinite loop in the affected component, leading to low-impact availability disruption, such as resource exhaustion on the targeted system.

Mitigation is available through upgrading to Cesanta Mongoose version 7.21, which resolves the issue, as confirmed by the vendor following early notification. A public exploit is available, detailed in a GitHub proof-of-concept at https://github.com/dwBruijn/CVEs/blob/main/Mongoose/TCP_opt_dos.md, with additional advisory information at https://github.com/cesanta/mongoose/releases/tag/7.21 and VulDB entries.

EU & UK References

Vulnerability details

A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible…

more

to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote exploitation of a TCP option handler to trigger an infinite loop and resource exhaustion, directly mapping to application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1172Shared CWE-404
CVE-2025-22846Shared CWE-404
CVE-2024-55553Shared CWE-404
CVE-2025-29313Shared CWE-404
CVE-2026-2219Shared CWE-835
CVE-2026-2517Shared CWE-404
CVE-2026-33013Shared CWE-835
CVE-2026-1521Shared CWE-404
CVE-2026-1684Shared CWE-404
CVE-2026-26283Shared CWE-835

Affected Assets

cesanta
mongoose
7.0 — 7.21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification, reporting, and correction of flaws like CVE-2026-6985 through timely patching to version 7.21.

prevent

Implements denial-of-service protections at system entry points to prevent or limit the impact of the remote infinite loop attack causing resource exhaustion.

prevent

Mandates validation of network inputs such as the optlen argument to block manipulation that triggers the infinite loop in the TCP Option Handler.

References